FERC Starts Inquiry on CIP Standards
FERC issued a NOI seeking comments on potential gaps in NERC’s critical infrastructure protection standards and what actions it may need to take.

Citing concerns over the adequacy of NERC’s critical infrastructure protection (CIP) standards, FERC on Thursday issued a notice of inquiry (NOI) seeking comments on potential gaps in the standards and what actions the commission may need to take to improve them (RM20-12).

FERC positioned its NOI as a response to the evolving landscape of cybersecurity threats, with the specific questions derived from a recent review of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. Commission staff compared the NIST framework with the CIP standards to find topics that may pose a significant risk to the reliability of the bulk electric system (BES) but are not adequately addressed in the current standards.

FERC Chairman Neil Chatterjee at NERC’s February Board of Trustees meeting. | © ERO Insider

FERC’s filing requests stakeholder feedback on whether the CIP standards are adequate to address the following topics:

  • Cybersecurity risks pertaining to data security;
  • Detection of anomalies and events; and
  • Mitigation of cybersecurity events.

The commission also asked for comments on the danger of a coordinated cyberattack against geographically distributed targets and whether FERC should take action to address this threat.

Deficiencies Found in Data Security Measures

For the first topic, data security, the NIST framework breaks the issue down into eight subcategories:

  • Protection of data at rest;
  • Protection of data in transit;
  • Management of assets;
  • Adequate capacity to ensure availability is maintained;
  • Protections against data leaks;
  • Verification of software, firmware and information integrity;
  • Verification of hardware integrity; and
  • Separation of development and testing environments from production environments.

FERC staff found potential shortfalls regarding the fourth subcategory in CIP-011-2 (Information Protection) and CIP-012-1 (Communications between Control Centers). CIP-011-2 aims to maintain the confidentiality and integrity of BES cyber system information but does not address availability of that information and does not apply to low-impact systems. CIP-012-1 imposes stronger data protection requirements but is limited to real-time assessment and real-time monitoring data transmitted between control centers.

The sixth subcategory, verification of software, firmware and information integrity, may also be insufficiently covered. While CIP-013-1 (Supply Chain Risk Management) was acknowledged to provide some protections of this type, the standard does not address software and firmware integrity for low-impact cyber systems, nor does it address information integrity for systems of any impact level.

Low-impact Systems Left Out

CIP-008-5 was also considered an applicable standard for the third category, mitigation of cybersecurity events, as it “requires responsible entities to document their cybersecurity incident response plans and provide evidence of incident response processes or procedures that address incident handling.”

However, in addition to not covering low-impact cyber systems, CIP-008-5 does not require containment or mitigation measures. Similarly, while CIP-010-2 (Configuration Change Management and Vulnerability Assessments) requires the mitigation of newly identified vulnerabilities, it also does not apply to low-impact systems.

The final area of inquiry, relating to the risk of a coordinated cyberattack on the BES, reflects concerns about the “expanding integration of smaller, geographically distributed generation resources” in the North American electric grid. As with the other topics, FERC identified low-impact BES cyber systems, which include many of these small resources, as a key weakness in this scenario because they are subject to only a subset of the CIP requirements rather than the full set that applies to medium- and high-impact systems.

FERC asked stakeholders for their feedback on whether sophisticated cyber threat actors could coordinate an attack against multiple resources across a geographically distributed region and whether current protections mandated by the CIP standards are sufficient to address such a risk. The commission will consider this input in deciding whether further updates to the standards may be required.

Comments on the NOI are required within 60 days of its publication in the Federal Register.

